Authorization Inspect

Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.


How to use

Paste an Authorization header or full request headers and click “Parse”. The tool summarizes the scheme and the details of the value.

Notes (this tool)

  • Accepts Authorization: header lines (multi-line paste is OK).
  • Do not paste secrets. Mask tokens if needed.

About this page

What does this tool do?

Splits the Authorization header into its scheme (Basic/Bearer/ApiKey, etc.) and a summary of the value.

Useful for diagnosing 401/403, verifying token formats, and spotting header mistakes.

Basics (role of Authorization)

  • Authorization carries client credentials.
  • Auth type is identified by the scheme (Basic/Bearer, etc.).
  • 401 responses usually include WWW-Authenticate.

Input examples

  • Authorization: Bearer eyJhbGciOi...
  • Authorization: Basic dXNlcjpwYXNz
  • Paste full Request Headers

Common schemes

  • Bearer: access token (e.g., JWT)
  • Basic: ID/password (Base64)
  • ApiKey / Token: custom API key schemes

Bearer (JWT, etc.) key points

  • Check JWT-like format (3 Base64url segments)
  • Check exp/iat/nbf time claims
  • Verify signatures with JWT Verifier

Basic auth key points

  • Base64 is reversible; use HTTPS.
  • Username/password are separated by ":" in Basic.

Common pitfalls

  • Sending “Token” or another scheme instead of Bearer
  • Authorization missing; relying only on Cookie
  • Token expired causing 401
  • CORS preflight fails because Authorization is not allowed

Debugging workflow (recommended)

  • Extract Authorization via Request Headers Parser
  • Use this tool to check scheme and format
  • Check 401 requirements with WWW-Authenticate Inspect

What this tool does

  • Show Authorization scheme and value summary
  • Help identify Basic/Bearer
  • Lightweight JWT format check

Operational notes

  • Result output alone is not enough for trust decisions. Always validate signatures and issuer.
  • Clock skew and environment differences affect reproducibility, so record test time and settings.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • RFC 7617 (Basic)
  • RFC 6750 (Bearer Token)
  • MDN: Authorization

FAQ

Why does it work without Authorization?

The endpoint may rely on other mechanisms such as cookies or IP restrictions. Confirm which authentication the endpoint expects.

Can a Bearer token be non-JWT?

Yes. Bearer is a scheme name; tokens are not always JWT.

Is Basic safe?

It must be used over HTTPS. Base64 is a reversible encoding, not encryption.


Page-specific case studies

This page inspects Authorization header format to catch common implementation mistakes early.

  • Check Bearer prefix presence and spacing format.
  • Validate Basic auth base64 structure.
  • Detect conflicting multiple Authorization headers.
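
The three checks above, together with token masking and the exp/nbf/iat checks from the Bearer section, as an added example. It is not this tool's source: the function names and the sample paste are assumptions constructed for illustration, and nothing here verifies a signature.

```javascript
// Added example, not this tool's source. Decodes locally; verifies no signature.
const b64 = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary'));
const mask = (v) => (v.length <= 8 ? '***' : `${v.slice(0, 4)}...${v.slice(-2)}`);
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;
// Constructed sample: two different Authorization lines in one paste.
const SAMPLE = 'Host: api.example.test\nAuthorization: Basic dXNlcjpwYXNz\nauthorization: Token abc';

// Returns null unless the token has 3 Base64url segments with a JSON payload.
function jwtTimeIssues(token, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) return null;
  try {
    const p = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(b64(p + '='.repeat((4 - (p.length % 4)) % 4)));
    const issues = [];
    if (typeof claims.exp === 'number' && claims.exp <= nowSec) issues.push('expired');
    if (typeof claims.nbf === 'number' && claims.nbf > nowSec) issues.push('not yet valid (nbf)');
    if (typeof claims.iat === 'number' && claims.iat > nowSec) issues.push('iat in the future');
    return issues;
  } catch (e) { return null; }
}

function inspectOne(value, nowSec) {
  const m = /^(\S+)\s+(.+)$/.exec(value);
  if (!m) return { scheme: null, masked: mask(value), warnings: ['expected "<scheme> <credentials>"'] };
  const [, scheme, cred] = m;
  const out = { scheme, masked: mask(cred), warnings: [] };
  const kind = scheme.toLowerCase(); // scheme names are case-insensitive
  if (kind !== 'basic' && kind !== 'bearer') return out;
  if (!TOKEN68.test(cred)) out.warnings.push('credentials are not token68 (extra spaces or quotes?)');
  if (kind === 'basic') {
    let decoded = null;
    try { decoded = b64(cred); } catch (e) { out.warnings.push('not valid Base64'); }
    if (decoded !== null && !decoded.includes(':')) out.warnings.push('no ":" between user-id and password');
  } else {
    const issues = jwtTimeIssues(cred, nowSec);
    out.jwtLike = issues !== null;
    if (issues) out.warnings.push(...issues);
  }
  return out;
}

function inspectHeaders(text, nowSec = Math.floor(Date.now() / 1000)) {
  const values = text.split(/\r?\n/)
    .map((line) => /^\s*authorization\s*:(.*)$/i.exec(line))
    .filter(Boolean)
    .map((m) => m[1].trim());
  return { count: values.length, conflicting: new Set(values).size > 1,
    findings: values.map((v) => inspectOne(v, nowSec)) };
}
```

Call `inspectHeaders(SAMPLE)` to see the conflict flag; pass a fixed `nowSec` to reproduce a time-claim result later.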

Page-specific implementation checklist

  • Confirm gateway forwards Authorization headers correctly.
  • Validate accepted Authorization schemes strictly on server side.
  • Mask token values in logs.
  • Standardize header generation in client SDKs.
